NotPetya/Goldeneye = Cyber Weapon Camouflaged as Ransomware

“The Punishment of Russian Pirates” published in A General View of the World, 1807. Copper engraved print with recent hand colour.

Anonymous expert compilation, analysis, and reporting.

From all perspectives, this points at Russia.

Russia has the means, the history, the motive, and the expertise.

Once this is recognised as a cyber weapon, and the possibility that it is a money-making ransomware worm is removed, it is, most certainly, a state-sponsored cyber weapon.

This first hit Ukraine. Russia is at war with Ukraine on many different levels, all short of a declared and overt war. This fits the profile of Russia waging a sub-threshold unconventional war on another sovereign state, Ukraine.

Russia is deserving of special scrutiny by the UN. Of a special trial on special charges by the World Court. Of a special punishment never issued before, because Russia is deserving.

</end editorial>

The “ransomware attack” that started in Ukraine this week, and propagated globally, was, in the assessment of cybersecurity researchers, not a genuine “ransomware attack”. This is because the malware employed had a crippled mechanism for providing payment notifications and, apparently, no mechanism for distribution of decryption keys. Put differently, it could not be used to collect ransom from its victims.

This in turn indicates the intent of the malware was simply destruction of data, and paralysis of operations in organisations afflicted by the malware. The malware fits the definition of a “persistent denial of service cyber-weapon”.

The attackers were thinking in a strategic manner: they targeted a vendor of accounting software used as a mandatory tool for taxation purposes. The vendor’s server used for distribution of software updates then infected all of the clients’ systems with the malware, which in turn propagated via the local network in each client organisation to every other susceptible computer. A well thought through attack, with a strategy intended to effect rapid propagation and a maximum of damage.

The initial victims were all Ukrainian organisations using the accounting software, which by default was much of the nation’s commercial sector. Hardest hit were organisations where the local network allowed infected computers to find other susceptible computers, and infect them.
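The propagation stage described above, in which one infected machine reaches every other susceptible computer on the local network, leaves a signature a defender can look for: a single host opening connections to many distinct internal peers in a short time. The following is an added example, not part of the original compilation and not any vendor’s tooling. It runs a simple fan-out detector over a constructed connection log; the log lines, hosts, timestamps and the choice of port 445 are assumptions for illustration (the page does not name the protocol used), and the detector itself is port-agnostic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample connection log (not from the page). Format per line:
# "<ISO timestamp> <source IP> <destination IP> <destination port>".
# 10.0.0.5 fans out to many distinct peers within a minute, as a worm on a
# flat LAN would; 10.0.0.9 repeatedly talks to one file server, which is benign;
# 10.0.0.7 touches only two peers, below the alert threshold.
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.0.5 10.0.0.10 445
2017-06-27T10:00:02 10.0.0.5 10.0.0.11 445
2017-06-27T10:00:02 10.0.0.9 10.0.0.50 445
2017-06-27T10:00:03 10.0.0.5 10.0.0.12 445
2017-06-27T10:00:04 10.0.0.5 10.0.0.13 445
2017-06-27T10:00:05 10.0.0.9 10.0.0.50 445
2017-06-27T10:00:06 10.0.0.5 10.0.0.14 445
2017-06-27T10:00:07 10.0.0.5 10.0.0.14 445
2017-06-27T10:00:08 10.0.0.5 10.0.0.15 445
2017-06-27T10:05:00 10.0.0.7 10.0.0.20 445
2017-06-27T10:05:01 10.0.0.7 10.0.0.21 445
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def detect_fanout(events, threshold=5, window=timedelta(seconds=60), ports=(445,)):
    """Flag sources that reached at least `threshold` distinct destinations on the
    watched ports within any sliding `window`.

    Returns {src: (window_start, sorted list of distinct destinations)} for the
    first window in which each source crossed the threshold. Repeated connections
    to the same destination count once, so a busy but legitimate client that
    hammers one server is not flagged.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) still inside the window
    alerts = {}
    for ts, src, dst, port in sorted(events):
        if port not in ports:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop events that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (q[0][0], sorted(distinct))
    return alerts


if __name__ == "__main__":
    for src, (start, peers) in detect_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(peers)} distinct peers since {start.isoformat()}: {peers}")
```

The threshold and window are the tuning knobs: on a flat network where workstations normally talk only to a handful of servers, even a low threshold is quiet, whereas management or backup hosts that legitimately touch every machine need an allow-list before this logic is useful as an alert source.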

While a cyber-criminal might be clever enough to contrive such a scheme, the thinking behind it fits the military model. That the malware lacked proper provisions to collect ransom shows that the author(s) were inept in cyber-criminal thinking, but very adept in military thinking.

The consensus is that the Russians are behind this. They had both strong motives and opportunities.

Given the scale of the global collateral damage produced, Russia could be seriously out of pocket if sued for commercial losses. Whether that happens remains to be seen.

We’re All Russia’s Neighbors Now

Estonians were getting hacked by Russia long before it was cool. Ukrainians had to deal with Kremlin interference in their elections before it became trendy. Georgia and Moldova had to live with disinformation, fake news, and active measures before these things became fashionable catchphrases. It’s a good idea to pay very close attention to what Russia does to its neighbors, because it often foreshadows things Moscow will later try out farther to the West. “To try to understand Russia’s intervention and undermining of the U.S. election, you have to first understand Russia’s use of active measures to undermine Russia’s own neighbors,” Mark Simakovsky, a senior fellow at the Atlantic Council, told Snopes. “The most recent examples of that are not only in Ukraine but also in Georgia, Estonia, Latvia, and other countries in Russia’s periphery.” And in this sense, we’ve all become Russia’s neighbors. We’ve all become Ukrainians, Georgians, Estonians, Latvians, and Lithuanians. We’re all part of Russia’s so-called “near abroad.”

The Morning Vertical, June 29, 2017

ON MY MIND

When Ukraine was hit with a massive cyberattack earlier this week, suspicion quickly fell on Russia. And why not? Russia is widely believed to have been behind a series of attacks that hit Ukraine in recent years, most notably attacks on the country’s energy grid in 2015 and 2016. But when the attack spread to other countries, including Russia, and appeared to be a ransomware outbreak, it appeared that this time Moscow was not the culprit. But now cybersecurity experts are beginning to take another look. According to a piece in Wired (featured below) by Andy Greenberg, who has written extensively about cyberattacks in Ukraine, security experts (and not just in Ukraine) think the attack may have “originated as a state-sponsored, Ukraine-focused disruption campaign rather than a moneymaking venture.” There is still a lot we don’t know and odds are that this was a ransomware attack aimed at making money. But the experts are not yet ruling Russia out as a culprit. And due to Russia’s recent history of cyberattacks in Ukraine and elsewhere, Moscow has put itself in a position where it is going to be a natural target of suspicion every time something like this happens.

Is This Petya, NotPetya, GoldenEye, ExPetr, Or PetrWrap? – Information Security Buzz

We strongly recommend not paying the ransom. There is no longer a mechanism to give the victim the decryption key for paying the ransom as the email address to communicate with the attacker has been deactivated. The payment mechanism is very weak and is linked to just a single email address, which is no longer accessible. Even if a victim were to pay the ransom into the appropriate BitCoin wallet the attacker now has no means to share the decryption key. Obtaining unencrypted files is now much more problematic, although decryption tools may soon become available from third parties. Occasionally a business may decide to pay the ransom demand, but in the case of Petya it is no longer worthwhile.

How a sophisticated malware attack is wreaking havoc on Ukraine | PBS NewsHour

Governments and industries the world over are trying to deal with a new cyberattack, originating Tuesday in Ukraine and spreading rapidly through Europe and beyond. The new attack shows signs of greater technical sophistication than one in early May, but both apparently used a leaked tool developed by the NSA. Hari Sreenivasan speaks with Rodney Joffe of Neustar, Inc., about what’s at stake.

As firms gauge cost, Ukraine says cyberattack under control – Fifth Domain | Cyber

PARIS (AP) — The data-scrambling software epidemic that paralyzed computers globally is under control in Ukraine, where it likely originated, officials said Wednesday, as companies and governments around the world counted the cost of a crisis that is disrupting ports, hospitals and factories. In a statement published Wednesday, the Ukrainian Cabinet said that “all strategic assets, including those involved in protecting state security, are working normally.” The same couldn’t be said for India’s largest container port, where one of the terminals was idled by the malicious software, which goes by a variety of names including ExPetr. M.K. Sirkar, a manager at the Jawaharlal Nehru Port Trust in Mumbai, said that no containers could be loaded or unloaded at the terminal operated by shipper A.P. Moller-Maersk on Wednesday. In a statement, Moller-Maersk acknowledged that its APM Terminals had been “impacted in a number of ports” and that an undisclosed number of systems were shut down “to contain the issue.” The company declined to provide further detail or make an official available for an interview. At the very least, thousands of computers worldwide have been struck by the malware, according to preliminary accounts published by cybersecurity firms, although most of the damage remains hidden away in corporate offices. Some names have trickled into the public domain as the disruption becomes obvious. In Pennsylvania, lab and diagnostic services were closed at the satellite offices of Pennsylvania’s Heritage Valley Health System, for example. In Tasmania, an Australian official said a Cadbury chocolate factory had stopped production after computers there crashed. Other organizations affected include U.S. drugmaker Merck, food and drinks company Mondelez International, global law firm DLA Piper, London-based advertising group WPP.

As IT security workers turned their eye toward cleaning up the mess, others wondered at the attackers’ motives. Ransomware — which scrambles a computer’s data until a payment is made — has grown explosively over the past couple of years, powered in part by the growing popularity of digital currencies such as Bitcoin. But some believed that this latest ransomware outbreak was less aimed at gathering money than at sending a message to Ukraine and its allies. That hunch was buttressed by the way the malware appears to have been seeded using a rogue update to a piece of Ukrainian accounting software and the timing — coming the same day as the assassination of a senior Ukrainian military intelligence officer in the nation’s capital and a day before a national holiday celebrating a new constitution signed after the breakup of the Soviet Union. Suspicions were further heightened by the re-emergence of the mysterious Shadow Brokers group of hackers, whose dramatic leak of powerful NSA tools helped power Tuesday’s outbreak, as it did a previous ransomware explosion last month that was dubbed “WannaCry.” In a post published Wednesday, The Shadow Brokers made new threats, announced a new money-making scheme and made references to what happened Tuesday. “Another global cyber attack is fitting end for first month of theshadowbrokers dump service,” the group said, referring to a subscription service which purportedly offers hackers early access to even more of the NSA’s digital break-in tools. “There is much theshadowbrokers can be saying about this but what is point and having not already being said?” Few take Shadow Brokers’ threats or their ostentatious demands for cash at face value, but the timing of their re-emergence dropped another hint at the spy games possibly playing out behind the scenes.

‘NotPetya’ ransomware attack shows corporate social responsibility should include cybersecurity [Commentary] – Fifth Domain | Cyber

Fifth Domain is a news and information resource that brings civilian, defense, industry, private sector and critical infrastructure stakeholders together in one place for a holistic discussion on cybersecurity, both defense and offense. The cyberwar is here. Fifth Domain has it covered.

As the “NotPetya” ransomware attack spreads around the world, it’s making clear how important it is for everyone – and particularly corporations – to take cybersecurity seriously. The companies affected by this malware include power utilities, banks and technology firms. Their customers are now left without power and other crucial services, in part because the companies did not take action and make the investments necessary to better protect themselves from these cyberattacks. Cybersecurity is becoming another facet of the growing movement demanding corporate social responsibility. This broad effort has already made progress toward getting workers paid a living wage, encouraging companies to operate zero-waste production plants and practice cradle-to-cradle manufacturing – and even getting them to donate products to people in need. The overall idea is that companies should make corporate decisions that reflect obligations not just to owners and shareholders, customers and employees, but to society at large and the natural environment. As a scholar of cybersecurity law and policy and chair of Indiana University’s new integrated program on cybersecurity risk management, I say it’s time to add cyberspace to that list.

Online security affects everyone

The recent WannaCry ransomware attack affected more than 200,000 computers in 150 nations. The results of the attack made clear that computers whose software is not kept up to date can hurt not only the computers’ owners, but ultimately all internet users. The companies hit by the NotPetya attack didn’t heed that warning, and got caught by an attack using the same vulnerability as WannaCry, because they still haven’t updated their systems.

Ransomware Remixed: The Song Remains the Same – To Inform is to Influence

By Trey Herr, Wednesday, June 28, 2017, 10:11 AM, DayZero: Cybersecurity Law and Policy

Another month, another ransomware epidemic. Broadsheets are screaming panic while companies yell back that All Is Well and Ukraine shows the world what gifs can do for incident response. Twitter is abuzz with the rapid, globalized forensics effort of a legion of amateurs and…